On Tue, Jun 22, 2010 at 7:17 AM, Dick Hardt <dick.ha...@gmail.com> wrote:
>> Thanks for writing this. A few questions...
>>
>> Do we need both `issuer` and `key_id`? Shouldn't we use `client_id`
>> instead at least for OAuth?
>
> it is the ID of the key, not the client -- used to rollover keys

I don't think key id is necessary, but adding Hannes since he called me crazy for saying that at IIW. =)

The average client is going to have very few keys. Probably just 1. 3 at the outside. If a server needs to verify, it can literally iterate over all of the keys associated with the client until it finds the right one.

There is some precedent for this approach: http://support.microsoft.com/kb/906305/en-us.

Cheers,
Brian

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
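
The two lookup strategies debated in this thread, side by side, as an added example that is not part of the original messages or of any OAuth draft. HMAC-SHA256 as the signature scheme, and the client ids, key labels and secrets, are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: keys registered per client during a rollover.
# Client ids, key labels and secrets are hypothetical, not from the thread.
CLIENT_KEYS = {
    "client-a": [("k2", b"new-secret-after-rollover"),
                 ("k1", b"old-secret-being-retired")],
    "client-b": [("k1", b"other-client-secret")],
}
MAX_KEYS_PER_CLIENT = 3  # "3 at the outside"; bounds the work per request


def sign(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 stands in for whatever signature scheme is in use (assumption)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_by_iteration(client_id: str, message: bytes, signature: bytes):
    """No key_id: try every key registered for this client.

    Returns the label of the matching key, or None. Keys belonging to
    other clients are never tried.
    """
    keys = CLIENT_KEYS.get(client_id, [])
    if len(keys) > MAX_KEYS_PER_CLIENT:
        raise ValueError("too many keys registered for client")
    matched = None
    for label, key in keys:
        # Constant-time compare and no early exit: every request for a
        # client costs the same number of HMACs whichever key matches.
        if hmac.compare_digest(sign(key, message), signature) and matched is None:
            matched = label
    return matched


def verify_by_key_id(client_id: str, key_id: str, message: bytes,
                     signature: bytes) -> bool:
    """With key_id: the request names its key, so one HMAC is computed."""
    for label, key in CLIENT_KEYS.get(client_id, []):
        if label == key_id:
            return hmac.compare_digest(sign(key, message), signature)
    return False  # unknown key_id: reject, do not fall back to iteration
```
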